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Abstract — We study the capacity of secret-key agreement over 
a wiretap channel with state parameters. The transmitter com- 
municates to the legitimate receiver and the eavesdropper over 
a discrete memoryless wiretap channel with a memoryless state 
sequence. The transmitter and the legitimate receiver generate 
a shared secret key, that remains secret from the eavesdropper. 
No public discussion channel is available. The state sequence 
is known noncausally to the transmitter. We derive lower and 
upper bounds on the secret-key capacity. The lower bound 
involves constructing a common state reconstruction sequence at 
the legitimate terminals and binning the set of reconstruction 
sequences to obtain the secret-key. For the special case of 
Gaussian channels with additive interference (secret-keys from 
dirty paper channel) our bounds differ by 0.5 bit/symbol and 
coincide in the high signal-to-noise-ratio and high interference- 
to-noise-ratio regimes. For the case when the legitimate receiver 
is also revealed the state sequence, we establish that our lower 
bound achieves the the secret-key capacity. In addition, for 
this special case, we also propose another scheme that attains 
the capacity and requires only causal side information at the 
transmitter and the receiver. 



I. Introduction 

Secret keys are a fundamental requirement for any ap- 
plication involving secure communication or computation. 
An information theoretic approach to secret key generation 
between two or more terminals was pioneered in (4) 
and subsequently extended in ]5)-|[8). In the setup considered 
in these works, the transmitter communicates to a legitimate 
receiver and the eavesdropper over a memoryless broadcast 
channel and is interested in generating a secret key shared 
with the legitimate receiver. The legitimate terminals can also 
exchange an unlimited number of messages over a public 
channel. There has been a significant interest in developing 
practical approaches for generating shared secret keys between 
two or more terminals based on such techniques, see e.g., ||9l- 
lfl6l and references therein. 

In the present work, we study the secret key agreement 
capacity over a broadcast channel controlled by a random 
state variable. The importance of studying channels with 
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state parameters lfT7l - lfl9l has become increasingly evident 
in recent times due a variety of applications including fading 
channels [20|, broadcast channels [21] and digital watermak- 
ing [22] ■ For example in fading channels, the state vari- 
able could model the instantaneous fading coefficient of the 
channel. In broadcast channels the state sequence models an 
interfering message to another receiver while in watermarking 
systems the state sequence represents a host sequence on 
which information message needs to be embedded. Clearly 
depending on the application the state sequence may be 
known to either the sender or the receivers or both. In this 
paper, unless otherwise stated, we assume that the entire 
state sequence is known to the sender noncausally. As will 
be discussed, the seemingly more general case when each 
receiver also has (a possibly noisy) side information can be 
easily incorporated in this model. Some of our results only 
require causal transmitter side information although we note 
in advance that we do not consider this problem in detail. 

In the present paper we only focus on the case when there 
is no discussion channel available. We point the reader to 
our conference papers JT], (2) for some results on the case 
when a public discussion channel is available. Notice that our 
setup differs from [23|-[25| that study the wiretap channel 
with state parameters and require that the transmitter send a 
confidential message to the receiver and build on the wiretap 
channel model [26|. Our results indicate that the achievable 
secret-key rate can be significantly higher compared to the 
results in [23 1-[25 1. Recently an improved lower bound for the 
wiretap channel with causal state information at the transmitter 
and receiver has been reported in [27|. Interestingly it uses a 
block markov coding scheme, where a secret key is generated 
in each block as an intermediate step. 

After the conference papers JT], |f2] on which this paper 
is based appeared, the authors became aware about a re- 
cent work [28 1 where a similar secret-key agreement scheme 
over channels with noncausal channel state information is 
presented. This scheme is used in constructing a coding 
scheme that provides a tradeoff between secret-key and secret- 
message transmission. The paper [28| however does not fully 
explore the problem of secret key agreement over wiretap 
channels with state parameters. In particular to the best of 
our knowledge, it does not have the results in the present 
paper such as an upper bound on the secret-key capacity, the 
asymptotic optimality of the lower bound for the Gaussian 
case or the secret-key capacity for the case of symmetric CSI. 
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Fig. 1 . Wiretap channel controlled by a state parameter. The channel transition 
probability Py r ,y K \x,e is controlled by a state parameter s. The entire source 
sequence s n is known to the sender but not to the receiver or the eavesdropper. 
The sender and receiver generate a secret key re at the end of the transmission. 



II. Problem Statement 

A. Channel Model 

The channel model has three terminals — a sender, a 
receiver and an eavesdropper. The sender communicates with 
the other two terminals over a discrete-memoryless-channel 
controlled by a random state parameter. The transition proba- 
bility of the channel is p yr .y | x ,s( ) where x denotes the channel 
input symbol, whereas y r and y denote the channel output 
symbols at the receiver and the eavesdropper respectively. The 
symbol s denotes a state variable that controls the channel 
transition probability. We assume that it is independent and 
identically distributed (i.i.d.) from a distribution p 5 {-) in each 
channel use. Further, the entire sequence s n is known to the 
sender before the communication begins. 

As explained in section IH-CI the model generalizes easily 
to take into account correlated side information sequence at 
each of the receivers. 

B. Secret-Key Capacity 

A length n encoder is defined as follows. The sender sam- 
ples a random variables m x from the conditional distribution 
Pm x \s n ('\s n ). The encoding function produces a channel input 
sequence 

x n = f n {m x ,s n ) (1) 

and transmits it over n uses of the channel. At time i the 
symbol Xi is transmitted and the legitimate receiver and the 
eavesdropper observe output symbols y„ and y cl respectively, 
sampled from the conditional distribution p yr! y c | x ,s(')- The 
sender and receiver compute secret keys 



K = g„(m x ,s n ), / = /i„(y r n ). 



(2) 



A rate R is achievable if there exists a sequence of encoding 
functions such that for some sequence e n that vanishes as 
n — > oo, we have that Pr(« ^ /) < e n and 

1 



and 



-H(k) > R 



-/(«;y c n ) <£«• 



(3) 



(4) 



C. Extended Model 

In our proposed model we are assuming the state variable 
is only known to the transmitter and not to the receiving 
terminals. A more general model involves a state variable that 
can be decomposed into s = (st, s r , s e , So) where the sequence 
s™ is revealed noncausally to the sender whereas s™ and s™ 
are revealed to the legitimate receiver and the eavesdropper 
respectively while Sq is not revealed to any of the terminals. It 
turns out that the model in section Ill-Al includes this extended 
model. The secret-key capacity for this new model is identical 
to the secret-key capacity of a particular model in section IlLAl 
defined by: y r = (y r ,s r ) and y = (y ,s e ) and the channel 
transition probability 

p(yr,Ve\s t ,x) = ^2p(y r , y e \s , s r , s e , s t , x)p(s Q ,s r , s e \s t ). 

so 

(5) 

The equivalence can be established by noting that the modified 
channel preserves the same knowledge of the side information 
sequences as the original problem, the rate and equivocation 
terms only depend on the joint distribution y™, x n , s") 
and for any input distribution p(x n \s™), the extended channel 
satisfies 

n 

P{yl\ye\x n ,St) = ]]_p(Vri,Vei\Xi,Sti), (6) 

i=l 

where each term on the right hand side of © obeys ©. 

We omit a detailed proof in interest of space and point 
to the reader to J29] pp. 17—25] fl30j Chapter 7, pp. 7-54] 
for an analogous observation. Note that our model inherently 
uses the asymmetry in channel state knowledge between 
the eavesdropper and the legitimate receiver for secret key 
generation. While as discussed in this subsection, it can be 
easily extended to incorporate receiver side information, for 
simplicity in exposition we will suppress the availability of 
side information at the receivers. 

III. Main Results 
We summarize the main results of this paper in this section. 



A. Capacity Bounds 

We first provide an achievable rate (lower bound) on the 
secret-key capacity. 

Theorem 1: An achievable secret-key rate is 



R- 



max I(u;y T ) - I(u;y e ), 

Pu,Px\s,u 



(7) 



where the maximization is over all auxiliary random variables 
u that satisfy the Markov condition u — > (x, s) — > (y r ,y c ) and 
furthermore satisfy the constraint that 



I(u;y x )-I(u;s) > 0. 



(8) 



The largest achievable rate is the secret-key capacity. 



The intuition behind the coding scheme is as follows. Upon 
observing s™, the sender communicates the best possible 
reproduction u n of the state sequence to the receiver Now 
both the sender and the receiver observe a common sequence 
u n . The set of all codewords u n is binned into 2 nR bins 
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and the bin-index is declared to be the secret key. Note 
that the problem of communicating a state sequence with 
common knowledge to the receiver is studied in [31], [32|. 
This setup requires that the reconstruction sequence satisfy a 
certain distortion measure with respect to the state sequence. In 
contrast the common reconstruction sequence in this problem 
is an intermediate step used to generate a common secret key. 

While we do not have a matching upper bound to TheoremQ] 
the following result provides an upper bound to the secret-key 
capacity that is amenable to numerical evaluation. 

Theorem 2: The secret-key capacity is upper bounded by 
C < R+, where 



min max/(x, s; y r |y 

Py r ,y c |x, s e-P Px|s 



(9) 



where V denotes all the joint distributions p* y , s that have 
the same marginal distribution as the original channel. 

The intuition behind the upper bound is as follows. We 
create a degraded channel by revealing the output of the 
eavesdropper to the legitimate receiver. We further assume a 
channel with two inputs (x n ,s n ) i.e., the state sequence s™ 
is not arbitrary, but rather a part of the input codeword with 
distribution p 5 . The secrecy capacity of the resulting wiretap 
channel is then given by I(x, s; y r |y e )- 

Note that the problem of secret-key agreement is differ- 
ent from the secret-message transmission problem considered 
in Il23l - ll25ll . This is because the secret-key can be an arbitrary 
function of the state sequence (known only to the transmitter) 
whereas the secret-message needs to be independent function 
of the state sequence. For comparison, the best known lower 
bound on the secret-message transmission problem is stated 
below. 

Proposition 1: [23 1— [25j An achievable secret message 
rate for the wiretap channel with noncausal transmiter channel 
state information (CSI) is 

R = max I(u; y r ) — max (I(u; s), I(u; y c )) . (10) 

Pu,Px| U ,s 

We note that the secret-key rate (|7]) is in general strictly better 
than the secret-message rate ( fTOb . 

B. Secret Keys from Dirty Paper Coding 

We study the Gaussian case under an average power 
constraint. The channel to the legitimate receiver and the 
eavesdropper is expressed as: 



y r = x + s + z r 
y c = x + s + z c . 



(11) 



where z r ~ Af(0, 1) and z c — W(0, 1 + A) denote the 
additive white Gaussian nose and are assumed to be sampled 
independently. The state parameter s ~ A/"(0, Q) is also 
sampled i.i.d. at each time instance and is independent of both 
z r and z . Furthermore, the channel input satisfies an average 
power constraint E[x 2 ] < P. We assume s™ to be noncausally 
known to the sender but not to any other terminals. 

Thus the parameter P denotes the signal-to-noise ratio, the 
parameter Q denotes the interference-to-noise-ratio, whereas 
A denotes the degradation level of the eavesdropper. We now 



provide lower and upper bounds on the secret-key capacity^. 
We limit our analysis to the case when P > 1. 

Proposition 2: Assuming that P > 1, a lower bound on the 
secret-key agreement capacity is capacity is given by, 



= 1 1 (i A(P + Q + 2p^PQ) 
2° g \ P + Q + l + A + 2p^/PQ 

where \p\ < 1 and 

P{l-p 2 ) = 



p+Q + r 



(12) 



(13) 



Proposition 3: An upper bound on the secret-key capacity 
is given by, 

A(P + Q + 2^PCj) , ()4) 
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It can be readily verified that the upper and lower bounds are 
close in several interesting regimes. In Fig. [2] we numerically 
plot these bounds and state some properties below. We omit 
the proof due to space constraints. 

Proposition 4: The upper and lower bounds on secret- 
capacity satisfy the following 



(15) 
(16) 
(17) 



C. Symmetric CSI 

Consider the special case where the state sequence s is also 
revealed to the legitimate receiver. In this case we have a 
complete characterization of the secret-key capacity. 

Theorem 3: The secret-key capacity for the channel model 
in section IH-AI when the state sequence s™ is also revealed to 
the decoder is given by 

C sym = max I(u;y T \s) - I(u;y e \s) + H(s\y e ), (18) 

Pu|.OPx|«,»(-) 

where the maximization is over all auxilary random variables 
u that obey the Markov chain u —> (x.s) — > (y r ,y c )- 
Additionally it suffices to limit the cardinality of the auxiliary 
variable to + \X\) in (18). 

The achievability in STEi follows from (Q by augmenting 
yr = (.KrjS). Observe that ([8]) is redundant as I(u;y T ,s) — 
I(u; s) > holds. Furthermore the expression in (0 can be 
simplified as follows 

R~ = max I(u;y T ,s) - I(u;y e ) 

Pu,Vx\s. U 

= max I(u;y T \s) - I(u;y c \s) + J(s; u\y c ) (19) 

Pu:Px| S , U 

= max I(u;y r \s) ~ I(u;y c \s) + H(s\y c ) (20) 

Pu,P x \s,u 

where the last relation follows by noting that if u is an optimal 
choice in $1% then by selecting u* = (u,s) will leave the 

'Interestingly in the presence of public discussion, we have been able to 
characterize the secret-key capacity Q]. 
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Fig. 2. Bounds on the capacity of the "secret-keys from dirty paper" channel. In the left figure, we plot the bounds on capacity as a function of SNR (dB) 
when Q = 10 dB and A = 10 dB. The upper-most curve is the capacity with public-discussion | T| whereas the next two curves denote the upper and lower 
bounds on the capacity as stated in Prop.[J]and Prop. [2] The dotted curve is the secret message transmission lower bound HQ) evaluated for a jointly Gaussian 
input distribution. In the right figure we vary the degradation level at the eavesdropper A (in dB) and compute the secret-key rates for P = 2 and Q = 2. 
The upper-most curve is the secret-key capacity with public discussion (T|, the next two curves are the upper and the lower bounds, whereas the dotted curve 
is the secret message transmission rate evaluated for Gaussian inputs. 



difference in the two mutual information terms unchanged 
but increase the second term H(s\y c ) as specified in (120) . 
Notice that ( f20b is identical to ( fl~8b . The converse follows 
by an application of Csiszar's Lemma and is provided in 
section IVI-BI 

We provide another achievability scheme for Theorem [3] 
that only requires causal knowledge of s" at the encoder. The 
scheme is based on the following interpretation of (fist , The 
term I(u; y r |s) — I(u; y c \s) is the rate of a multiplexed wiretap 
codebook constructed assuming that all the three terminals 
have knowledge of s™. The second term H(s\y c ) is the rate of 
the additional secret key that can be produced by exploiting 
the fact that s" is only known to the sender and the legitimate 
terminal. This scheme is causal since the multiplexed code 
uses only current state to decide which codebook to use. 
Furthermore, since the state is known to the sender and 
receiver, the second term is also causal. 

We note that the capacity expression ( fT~8T > captures an 
interesting tension between two competing forces in choosing 
the optimal distribution. To maximize the contribution of the 
rate obtained from the multiplexed wiretap codebook, it is 
desirable to select u to be strongly correlated with s. However 
doing so will leak more information about s to the wiretapper 
and reduce the rate contribution of the second codebook. To 
maximize the contribution of the common state sequence, we 
need to select an input that masks the state sequence from the 
eavesdropper 1331 . We illustrate this tradeoff via an example 
in section IHI-DI 

Finally it can be easily verified that the the expression (IT8b 
simplifies in the following special case. 

Corollary 1: Suppose that for each s £ S the channel 
Py T ,y c \s= s ,x(yr, 2/e| s j x ) is sucn that the eavesdropper's channel 
is less noisy compared to the legitimate receiver's channel. 
Then the secret-key capacity with s" revealed to both the 



legitimate terminals is 

C = maxH(s\y e ). (21) 

Intuitively, when the wiretap channel cannot contribute to the 
secrecy, (fJTJ states that transmitter should select an input that 
masks the state from the output as much as possible. 

D. Symmetric CSI: Numerical Example 

It can be easily seen that for the dirty paper coding example 
in section HH-BI the secret-key capacity when s is also revealed 
to the legitimate receiver is infinity. More generally higher the 
entropy of s, higher will be the gains in the secret-key capacity 
with symmetric CSI. In this section illustrate the secret-key 
rate for an on-off channel for the receivers: 

y r = s r x + z r 

y (22) 
y c = s e x + z e , 

where both s r ,s e € {0,1}, the random variables are mutu- 
ally independent and Pr(s r = 0) = Pr(s e = 0) = 0.5. 
Furthermore we assume that s r is revealed to the legitimate 
terminals, whereas the eavesdropper is revealed y = (s e ,y c ). 
The noise random variables are mutually independent, zero 
mean and unit variance Gaussian random variables and the 
power constraint is that E[x 2 ] < P. 

We evaluate the secret-key rate expression for Gaussian 
inputs i.e., u = x ~ AT(0,Po) when s r = and u = x ~ 
J\f(0,Pi) when s r = 1. Further to satisfy the average power 
constraint we have that Pq + P\ < 2P. An achievable rate 
from Theorem [3] 

R = 7(x;y r |s r ) - /(x;y e |s r ) + ff(s r |y e ) (23) 
= 7(x;y r |s r ) - I(x; y e ,s e \s r ) + H(s r \s e ,y c ) (24) 

= i log(l + Pi) + ^E yc [H(p(y e ), l-p(y e ))} + \, (25) 
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Fig. 3. The achievable secret-key rate as a fraction of power allocated to the 
state s r = and SNR = 17 dB. The solid curve denotes the secret-key rate, 
the dashed curve denotes the rate of the secret-message, while the dotted curve 
denotes the conditional entropy term iT(s r |s e = l,y c = y e ) in \25\ . The 
upper solid and dashed curves denote the case of public discussion while the 
other solid and dashed curves denote the case of no public discussion. 
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Fig. 4. Optimal fraction of power that must be allocated to the state s r = 
to maximize the secret-key rate with Gaussian inputs. The curve marked with 
a (x) denotes the case of public discussion while the other curve denotes the 
case of no public discussion. 



where we have introduced 

( auo,Pq + i) r9 ~ 

p[Ve) ~ AU0,P + !) + 1) 

the aposterior distribution Pr(s r = 0|y e ) and the notation 
A/"y o (0, a 2 ) denotes the zero mean Gaussian distribution with 
variance a 2 evaluated at y c and where d25l > follows through a 
straightforward computation. 

In Fig. [3] we numerically evaluate this rate for SNR = 17 
dB. For comparison we also plot the corresponding rate with 
public discussion 

tfdisc = ^\og(l+2P 1 )+^E ye [H(p(y e ),l-p(y e ))]+^. (27) 

In Fig. [3] the solid curves show the secret key rate with 
and without public discussion, while the dashed curve is 
the entropy H(s r \s e = l,y c ) and the dotted curve denotes 
contribution of the wiretap code. Note that in general there is a 
tradeoff between these two terms. To maximize the conditional 
entropy we set Pq = P% = P/2, while to maximize the wiretap 
codebook rate we need to set Pq = and Pi = P. The 
resulting secret-key rate is maximized by selecting a power 
allocation that balances these two terms. The optimum fraction 
of power transmitted in the state s r = as a function of the 
signal to noise ratio is shown in Fig. [4] Note that no power is 
transmitted when the signal-to-noise ratio is below « —2.hdB. 
In this regime the channels are sufficiently noisy so that 
H(s r \y c ,s e = 1) w 1 even with Pq = and hence all the 
available power is used for transmitting the secret-message. As 
the signal-to-noise ratio increases more information regarding 
s r gets leaked to the eavesdropper and to compensate for 
this effect, a non-zero fraction of power is transmitted when 

S r = 0. 

IV. Secret key generation with noncausal 
Transmitter CSI 

In this section we provide Proofs of Theorem [T] and |2] i.e., 
the coding scheme and the upper bound for the secret key 
agreement problem. 



2»'(«;io,>Codewords per bin 




Fig. 5. Codebook for the secret key agreement problem. A total of 2 nI ("' ,y ' '> 
codewords are generated i.i.d. p u (-) and partitions into 2 nR bins so that thare 
are 2 n - f (" ;y °) sequences in each bin. Given s n , a jointly typical sequence u n 
is selected and its bin index constitutes the secret key. 

A. Proof of Theorem [7] 

The coding theorem involves constructing a common se- 
quence u n at the legitimate terminals and using it to generate 
a secret key. 

1) Codebook Generation: Assume that the input distribu- 
tion is such that I(u;y r ) > I(u;s) as required in TheoremQ] 
Let e n be a sequence of non-negative numbers that goes to 
zero such that 2e n < I(u;y r ) — I(u; s). 

• Generate a total of T = 2 r ^ I ^ y ' ) ^ 2en) sequences. Each 
sequence is sampled i.i.d. from a distribution p u { )- Label 
them u", . . . , Uy. 

• Select a rate R — I(u; y r ) — I(u; y ) — e„ and randomly 
partition the set sequences in the previous step into 2 nR 
bins so that there are 2 n ( / ("' y °)~ £ ") sequences in each 
bin. 

2) Encoding: 

• Given a state sequence s" the encoder selects a sequence 
u n randomly from the list of all possible sequences that 
are jointly typical with s" . Let the index of this sequence 
be L. 
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• At time i = 1,2, ... ,n the encoder transmits symbol x. L 
generated by sampling the distribution p x \u,s{'\ u ii s i)- 

3) Secret-key generation: 

• The decoder upon observing y™ finds a sequence u n 
jointly typical with y™. 

• Both encoder and the decoder declare the bin-index of 
u n to be the secret-key. 

4) Error Probability Analysis: An error occurs only if one 
of the following events occur: 

£ x = {(u n {l), s n ) £ % n (u, s) for all 1 < I < T} (28) 
£ a = {(u»(L),y?)tT?(u,y r )} (29) 
£ 3 = {(""(0,%") G r/ l (u,y r ) for some I + L} (30) 

Since the number of sequences T > 2 rl/ (" ;s ) it follows from 
the Covering Lemma [30, Chapter 3] that Pr(£i) — > as 
moo. Furthermore let £± = {(u n , s", x") G 7^' l (u, s,x)} 
and Pr(£f) — > 1 as n —> oo for any e' < e. Since 
p(y r n |u n (X),x™,s™) = Y[7=iP(yn\ui,Xi,s t ) it follows from 
the conditional typicality Lemma [30, Chapter 2] that Pr^H 
£i) — ► as n — > oo. Finally since every t/"(i) is generated 
i.i.d. p u (ui) and is independent of y™ for I ^ L it follows 
from the Packing Lemma 11301 Chapter 3] that Pr(£s) — ^ if 
T < 2™ 7 (" ;yi ^. 

5) Secrecy Analysis: We need to show that for the proposed 
encoder and decoder, the equivocation at the eavesdropper 
satisfies 

-H( K \y^)=I(u; yi )-I(u;y e ) + o n (l), (31) 
n 

where o„(l) is a term that goes to zero as n — > oo. 

Note that while the key k in general can be a function of 
(s n , m x ) as indicated in (Q}, in our coding scheme the secret 
key is a deterministic functino of u n and hence we have 



-H(K\y:) = ±H(k, u n \y:) - ±H(u n \y?, k) 

= -H(u n \y^--H(u n \y:, K ) 
n n 

= -H(u n \y^ - e n 



where the last step follows from the fact that there are 
To = 2 n ( / ( u;y °'~ e ") sequences in each bin. Again applying 
the packing lemma we can show that with high probability 
the eavesdropper uniquely finds the codeword u n (L) jointly 
typical with y™ in this set and hence Fano's Inequality implies 
that 

-H(u n \g,K)< En . 
n 

It remains to show that 

^H(u n \y2) > I(u;*) - I(u;y e ) - o„(l). 
Using the chain rule of the joint entropy we have 

-H{u n \y2) = -H(u n ) + -#(y e >") - -#(y e ") (32) 
n n n n 

= -H(u n ) + -H{y:\u\s n ) - -H( y :) + -I(s n ;y:\u n ). 

n n n n 

(33) 



We now appropriately bound each term in (|33l ). First note that 
since the sequence u n is uniformly distributed among the set 
of all possible codeword sequences, it follows that 



= i log, | C | 

= I(u;y T ) - 2e n 



(34) 



Next, as verified below, the channel to the eavesdropper 
(u n , s n ) — > y™, is memoryless: 

Pyn {u n, s n(y2\u n ,S n ) 

= E Py^^,Aye\u n ,s n ,x n )p xn \ un , s ,{x n \u n ,s n ) 



— ^ ^ II Py e I u.s,x{ye,i l^-i? Sj, Xi)p x \ u ^ 5 {Xi\lLi^ Sj) 
n 

= II Pyc\u,s,x(yej\ u i^ s i^ x i)Px\u,s( X i\ U i' S i) 
i=l Xi£X 
n 



The second step above follows from the fact that the channel 
is memoryless and the symbol Xi at time i is generated as a 
function of (uj,Sj). Hence we have that 

1 - 

-H( y :\s n , u n ) = y2 H (y^\ Si > u *)- w 



Furthermore note that 



I - 
-H{y:) <Y,H{y ei ). 

II ' 



(36) 



Finally, in order to lower bound the term I(s n ;y™\u n ) we 
let J to be a random variable which equals 1 if (s n , u n ) are 
jointly typical. Note that Pr(J = 1) = 1 - o„(l). 

i/(s";y e >") = -H(s n \u n ) - -ff(s>'\y c ") 
n n n 

> -H{s n \u n ,J= l)Pr(J = 1) - -H(s n \u n ,y?) 

> -H(s n \u n ,J= 1) - -H{s n \u n ,y2) - o n (l) 
n n 

> H(s\u) - -H(s n \u n ,y^) - o„(l) (37) 

n 



1 

> H(s\u) - - VF(si|ui,y e , i ) - o„(l) 



(38) 



where (|37T i follows from the fact that s™ is an i.i.d. sequence 
and hence conditioned on the fact that (s™, u n ) is a pair of 
typical sequence there are 2™- ff ( s l") -no "( 1 ) possible sequences 
s". 

Substituting (O, (|35), (O and (J38]) in the lower bound ([33]) 
and using the fact that as n —> oo, the summation converges 
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to the mean values, 

-H{n\y-) 
n 

= J(u;y r ) + H(y c \u, s) - H{y c ) + H(s\u)-H(s\u, y e )-o„(l) 
= I(u;y r ) - I(y e \s\u) - I(y e ; u) + /(y e ;s|u) - o„(l) 
= ^0;y) - ^(y c ; u) - o„(i) 

as required. 

B. Proof of Theorem [2] 

A sequence of length-n code satisfies: 

-H{n\y?) < e n (39) 
n 

-H{n\y r c l ) > -H{n) - e n (40) 



where ( f39b follows from the Fano's inequality since the 
receiver is able to recover the secret-key k given y™ and (l40l 
is a consequence of the secrecy constraint. Furthermore, note 
that k — s- (x™ , s" ) — > (y™ , y™ ) holds as the encoder generates 
the secret key n. Thus we can bound the rate R = —H(k) as 
below: 

nR<I(K;y?\y?) + 2ne n 

<I(K,s n ,x n ;y?\y:)+2ne n 

< I(s n ,x n ;y?\y?) + H( K \s n ,x n ) + 2ne n 

= I(s n ,x n ;y?\y?) + 3ne n (41) 



< ^ I(si,Xi;y rti \y eti ) + 3ne n 

i=l 

< n/(x,s;y r |y c ) + 3ns n 



(42) 
(43) 



where (HTt follows from the Fano Inequality because k can 
be obtained from (x™,s™), (f42b from from the fact that the 
channel is memoryless and the last step follows from the 
concavity of the conditional entropy term 7(x,s;y r |y e ) in the 
input distribution p XyS (see e.g., OH). 

Finally since the secret-key capacity only depends on the 
marginal distribution of the channel and not on the joint 
distribution we can minimize over all joint distributions with 
fixed marginal distributions. 




Received Point 
Transmitted Point 



Uncertainty sphere 
at eavesdropper 



Fig. 6. Secret-key agreement codebook for the dirty paper channel. The 
transmit sequence x n is selected so that u™ = x" + s n is a sequence in the 
codebook C. The smaller spheres above denote the noise uncertainty at the 
legitimate receiver. Their centres are the codewords in C. The larger sphere 
denotes the noise uncertainty at the eavesdropper. Our binning of smaller 
spheres guarantees that the noise uncertainty sphere of the eavesdropper has 
all possible messages, resulting in (asymptotically) perfect equivocation. 



Further evaluating each of the terms above with u — x + as, 
note that 

h(u\y c ) = h(x + as\x + s + z c ) — 
- log 2ne (p + a 2 Q + 2apy r PQ - 



and 



(P + aQ + (1 + a) P y/P~Q) 2 
P + Q + 1 + A + 2 P JPQ 



h(u\y x ) = h(x + as\x + s + z r ) 



- log 2ire ( P + a z Q + 2apv P Q 



(P + aQ + p(l + a)y/FQ)' 



P + Q + l + 2y/PQ 



This yields that 



V. Gaussian Case 

We develop the lower and upper bounds on secret-key 
agreement capacity for the Gaussian channel model. 



A. Proof of Prop. \2\ 

Recall that s - Af(0,Q). Choose x - Af(0,P) to be a 
Gaussian random variable independent of s and let E[xs] = 
py/PQ. Select u = x + as and the lower bound follows by 
evaluating 

R = I(u;y T ) - I(u;y c ) 
= h(u\y c ) - h{u\y r ) 



R 



1 



log 1 



PQ(q-l) 2 (l-p 2 ) 
P+a 2 Q+2pa^FZ2 



+ 2 log 



P + Q + l 



(44) 



Note that the first term in the expression above is maximized 
when a = 1. In this case we have that 



R 



as required. 




(45) 



(46) 



s 



To complete the proof we show that the choice a 
indeed feasible when P > 1 and (P, p) satisfy ( fT~3T >. 
In particular the constraint ([8} requires that 



1 is 



h(u\s) > h(u\y r ) 
=> h{x\s) > h(x + s\x - 



P + Q + 2p^PQ) 



-logPfl - p 2 ) > -log , 

2 5 v H '~2 5 \P + Q + l + 2pyfPQ 



Rearranging, 



P(l 



> 1 



> 1 



P + Q 



f 1 
(47) 



as required. 

It is worth comparing the choice of the auxiliary variable 
u = x + s in the present problem with the choice of optimal 
u in the dirty paper coding problem [35|. While the input x 
is independent of s in (35], as illustrated in Fig. [6] the optimal 
x in the secret-key problem has a component along s. This is 
because scaling the interference sequence increases the secret- 
key rate. Secondly recall that in ll35l we find the auxiliary 



codeword u n that is closest to as n where a = 



P+N 



In 



contrast this MMSE scaling is not performed in the secret- 
key problem. 

B. Proof of Prop. \3\ 

We evaluate the upper bound in Theorem [2] for the choice 
z c = z r + z$, where zg ~ AT(0, A) is independent of z r . 

I(s,x;y T \y e ) = h{ yi \y c ) - h(y T \y e ,x, s) 
= h(y T \y e ) - h(z r \z c ) 

< 1 -lo g (p + Q + l + 2VPQ- (^ + Q + 1 + V7W 
~2 & \ * v * P + Q + 1 + A + 2^PQ 

2 B V 1 + A 
where we have used the fact that the conditional entropy 
h(y r \y c ) is maximized by a Gaussian distribution [36|. The 
above expression gives ( fT4l . 

VI. Symmetric CSI 

We establish the secret-key capacity for the case of sym- 
metric channel state information i.e., when s n is revealed to 
both the transmitter and the legitimate receiver. 

A. Achievability for Theorem\3\ 

As explained in section Ull-Cl the achievability result follows 
directly from Theorem Q] by replacing y r with y r — (y r ,s) 
in the lower bound expression. We nevertheless provide an 
alternate scheme that only requires the knowledge of causal 
CSI at the transmitter. The idea is to use a different wiretap 
codebook for each realization of the state variable. In particular 
suppose that S = {si, . . . , sm} denote the set of available 
states. Since the encoder and the decoder are both aware of 
the state realization Si and can use this common knowledge 



to select the appropriate codebook for transmission. These 
codebooks are constructed assuming that the eavesdropper is 
also revealed the state. Suppose that we fix the distribution 
Pu,x\s=si(') in CD- Let 

Ri = I(u;y T \s = Sj) - I(u;y e \s = Sj) (48) 

and pi — Pr(s = Sj). For each i — 1,2 ... ,M, a wiretap 
codebook of length npi and rate Ri is constructed and used 
to transmit a message Kj. Another independent key k s of rate 
R s = H(s\y c ) is then generated by exploiting the fact that s n 
is not known to the eavesdropper. 

1) Codebook Construction: 

• For each i — 1 , . . . , M generate a codebook Cj of rate 
Ri — 2e„ and length rij = n(pi ~~ e n ) by sampling the 
codewords i.i.d. from the distribution p u i 5 ( - |si)- 

• Construct a codebook C s where the set of all typical 
sequences s" of size 2™( i/ ( s )~ 2e ™) is partitioned into 
2"(-R s -e„) b ms eac jj containing 2™( 7 ( s;y °)~ e ") sequences. 

2) Encoding: 

• For each i = 1, . . . , M the transmitter selects a random 
message Ki and a random codeword sequence i?* in the 
corresponding in the corresponding bin of Cj. 

• Upon observing s(j) = Si at time t = j, it selects the 
next available symbol of t" s and samples the channel 
input symbol from the distribution p x \ SM . 

• At the end of the transmission it looks for the bin index 
of s n in C s and declares this to be k s . 

• The overall secret-key is (k\, . . . , km, k s)- 

3) Decoding: 

• The decoder divides y™ into subsequences 
(y" 1 , . . . , y2l' ), where the subsequences y"* is 
obtained by collecting the symbols of y™ when s = Sj. 

• For i = 1, . . . , M it searches for a codeword t™ ; in C, 
— that is jointly typical with y"\ If no such codeword 

or multiple codewords is found an error is declared. 

Otherwise the bin index of t?* is taken as declared as 

the message ki. 
Through standard arguments it can be shown that the error 
probability in decoding at the legitimate receiver vanishes as 
n — > oo provided we select the rates according to (l48l . We 
omit the details due to space constraints. 

4) Secrecy Analysis: First, consider splitting y" = 
(y™] 1 , . . . , yf^f ) where the subsequence y 3 is obtained by 



grouping the symbols of y" when s 



From the con- 



struction of the wiretap codebook Cj it follows that 



^H(Kj\y%)>±H( Kj )-e T . 



j = l,...,M (49) 



Next since the messages are selected independently and the 
encoding functions are also independent it follows that 

l : H(Kj\Kl,...,Kj-l,Kj+i,.. 



n 

= 1 -H{ Kj \y? j )> 1 -H{ Kj )- 

Thus by the chain rule we have that 
1 



,KM,y e n ,s") 



n 



-H(kx, . . . , K M \y?,S n ) >R - £ r , 



(50) 



(51) 
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where R Q = H(ki,...,k m ) = I(u;y t \s) - I(u;y c \s). To 
complete the secrecy analysis we require the following addi- 
tional result 



where (|62T > and d64i > follow from the fact that k s is a deter- 
ministic function of s n while d63l follows by substituting (IBTl ) 
and $65[ follows by substituting d52l while (l66l l follows from 



Lemma 1: For any input distribution p UjX i s such that the fact that -H (s"|y", n s ) — > as n — >• oo, since from the 



I(u;y r \s) > I(u;y c \s) we have that 

iif(s"|yD > iif(s|y e ) - 
Proof: First observe that we can write: 

-#(s"|y e ") = -H{y:\s n ) + -H(s n ) -ff(y e ") 
n n n n 

= -H(y?\s n , u n ) + -I(u n ;y^\s n ) + -H(s n ) - 



(52) 



(53) 



-#(y") 



(54) 



We now observe the following. Since the channel from 
(u n ,s n ) — > y™ is memoryless, 



construction of C s there are at-most 2"( / ( s;yc ' -e ") sequences 
associated with any given bin. Hence the decoder can decode 
s n with high probability and hence Fano's inequality applies. 

B. Converse 

For any sequence of codes indexed by the codeword length 
n, we show that the secret key rate is upper bounded by the 
capacity expression (fT~ST > plus a term that vanishes to zero as 
the block length goes to zero. By applying the Fano inequality 
on the secret-key rate, we have that for some sequence e n that 
approaches zero as n goes to infinity that 



±H(y?\s n ,u* 
n 



1 

- } H(y ei \si, m) 

i=l 



H(y e \s,u) (55) 



nR < I(k; I) + ne n < J(«; s n ,y") + ne r . 



(67) 



as n -> oo. Next note that by construction 

-H(u n \s n )=I(u; yi \s)-2e r , 



(56) 



and since I(u 
Lemma 1]) tha 
1 



if 



|s) > I(u;y e \s) it follows (c.f. El 



H{u n \s n ,y:) < I(u;y T \s) - I(u;y e \s) - o„(l) (57) 



Combining the above two inequalities, 

-I(u n ;y:\s n )> I(u;y e \s)-o n (l) 
n 

Since the sequence s n is sample i.i.d. we have 

-H(s n ) = H(s) 
n 

and finally from the chain rule 

-H(y^) < -H(y ei ) H(y c ) 
n n 

as n -> oo. Substituting (|55ll, d58j, d59j and <[60j into 
completes the claim. 



(58) 



(59) 



(60) 



where the last step follows from the data processing inequality 
since / = h n (s n , y"). Furthermore from the secrecy condition 
J(«;;y™) < ne n and hence, 

nR < I(K;s n ,y?) - /(«;;y e n ) + 2ne n (68) 

n 

< ^/(/cjyri.SilyrV^i+i.s-Vi) - /(K;y ,<|ye _1 y"t+i»^i). 

(69) 

where the second step follows from the Csiszar sum- 
identity ll30l Chapter 2] applied to difference of mutual infor- 
mations. The derivation is analogous to |26l and is omitted. 

If we let Vi = {yl~ X y" i+ i, s? +1 ) and u % = (k, v,-) note that 
Vi — > Ui — > (xi,Si) — > (y r ,i,y e ,i) holds. Maximizing over each 
term in the summation we obtain that 



R < max/(iy; y r , s| v) — I(u;y c \v) 4 
= max7(u; y r ,s) - I(u;y e ) + 2e % 

Pu,x 



•2e„ 



(70) 
(71) 



where the second step follows from the fact that the max- 
imizing over v is redundant since ( T70l > involves a convex 
The secrecy analysis can be completed by combining (ED combination of I(u;y T ,s\v = «<) - /(u;y e |v = «») and 

hence we can replace with the term that results in the largest 
value. We recover ( TT8l from dTTT l by using an approach similar 
to l|2"0|). 



and d52l ) as shown below 



1 



^(^|y e n ) 



-iJ« ;Ks |y e ") = - J ff( K f| Ks ,y e " 
n n it 

> -^«|s",y e n ) + - J H'( Ks |y e ") 
n n 

> I(u-y r \s) - I(u-y c \s) + -H(K 8 \y?) - o n (l) 

n 

>I(u;y T \s)-I(u;y e \s) + -H(s n \y:) - -H(s n \y:,n s 
n n 



(61) 
(62) 
(63) 
-o n (l) 



VII. Conclusions 



We study the secret key agreement capacity over a wiretap 
channel controlled by a state parameter. Lower and upper 
bounds on the capacity are established when the state sequence 

(64) is known noncausally to the encoder. The lower bound is 

. T , i \ T/ i \ tt ? \ \ 1 rr , „i „ \ / 1N obtained by creating a common reconstruction sequence at 
>I(u;y T \s)-I(u;y e \s)+H(s\y e )--H(s n \y£,K s )-o n (l) J & . H t . 

n the legitimate terminals and binning the set of reconstruction 

(65) sequences to generate a secret key. When evaluated for the 
= I(u;y T \s) — I(u;y e \s) + H(s\y c ) — o n (l) (66) Gaussian case (secret-key from dirty paper) our bounds co- 
incide in the high SNR and high INR regimes and the gap 

^Intuitively for any typical s'\ the total number of sequences u n is between the two bounds is always less than 0.5 bits. We 

2 nJ l".>'rl s ). T ne probability that a sequence u n is jointly typical with y™ 

is a-n/cuaww. A precise argument involves bounding me expected size of also observe that the rates for secret-key agreement can be 
the list and invoking a concentration result. significantly higher than that proposed for the secret message 
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transmission problem. We also extend our earlier (2) results 
on symmetric CSI to the general case of asymmetric CSI. 

A complete characterization of the secret-key capacity is 
obtained for the case of symmetric channel state information 
i.e., when the state sequence is known to both the encoder 
and the decoder. In this case we also present another coding 
scheme that involves multiplexed wiretap codebooks and only 
requires causal knowledge of the state sequence at the encoder. 
The capacity expression also captures an interesting tradeoff 
between correlating the input with the state sequence to max- 
imize the contribution of the wiretap codebook and masking 
the state sequence from the eavesdropper. We illustrate this 
with a numerical example. 

In terms of future work it will be interesting to study 
the secret key agreement capacity when there is only causal 
state information available to the transmitter. While this paper 
establishes the capacity when there is symmetric CSI at 
both the legitimate terminals, the more general problem of 
two-sided CSI remains to be explored. In another direction, 
secret key agreement protocols also appear to be an important 
component in more general problems. For example in |28| 
the authors independently developed a secret-key agreement 
scheme as a building block in characterizing a secret message 
and secret key tradeoff for wiretap channels with correlated 
sources. Another recent work ll27l studies the problem of se- 
cret message transmission on wiretap channel with symmetric 
CSI and uses a block Markov encoding scheme that generates 
a secret key in each block |2|. Exploring such connections is 
an interesting direction for future research. 
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